Hi,
I'm having a hard time figuring out how to whitelist events from a specific AS number.
I created a postoverflow whitelist in /etc/crowdsec/postoverflows/s01-whitelist/zz-whitelist-AS.yaml
and tried various expressions without success.
Here are the ones that pass compilation, but the AS number seems to be empty at runtime:
name: zz-whitelist-AS
description: Whitelist some AS
debug: true
whitelist:
  reason: Whitelisted AS
  expression:
    - evt.Enriched.ASNNumber in [3215, 15557, 12322, 5410]
    - evt.Meta.ASNNumber in [3215, 15557, 12322, 5410]
    - evt.Overflow.Sources.AsNumber in [3215, 15557, 12322, 5410]
Here is the debug output from these expressions:
- evt.Enriched.ASNNumber
  → level=debug msg=" evt.Enriched.ASNNumber = ''"
- evt.Meta.ASNNumber
  → msg=" evt.Meta.ASNNumber = ''"
- evt.Overflow.Sources.AsNumber
  → msg=" evt.Overflow.Sources.AsNumber = '{ 0 0 <nil> <nil>}'"
Is it possible to whitelist events based on ASNNumber?
Thanks.